Abstract



This paper establishes a novel analytical approach to quantify robustness of
scheduling and battery management for battery supported cyber-physical systems.
A dynamic schedulability test is introduced to determine whether tasks are
schedulable within a finite time window. The test is used to measure robustness
of a real-time scheduling algorithm by evaluating the strength of computing
time perturbations that break schedulability at runtime. Robustness of battery
management is quantified analytically by an adaptive threshold on the state of
charge. The adaptive threshold significantly reduces the false alarm rate for
battery management algorithms to decide when a battery needs to be replaced.

Categories and Subject Descriptors: C.3 [Special-Purpose and Application-Based
Systems]: Real-time and embedded systems; D.4.1 [Operating System]: Process
Management-Scheduling; G.4 [Mathematical Software]

General Terms: Algorithms, Design, Performance, Reliability, Management, Theory

Additional Key Words and Phrases: Cyber-physical systems, battery management,
dynamic timing model, dynamic schedulability test



1 Introduction 

Cyber physical systems (CPS) theory represents a novel research direction
aiming to establish foundations for a tight integration of computing and
physical processes [33 EZl ^M- CPS research unifies domain specific design
methods for subsystems to achieve desirable overall performance of the entire
system.
We are interested in battery supported CPS (CPSb) where control of physical 
systems and the underlying computing activities are confined by battery ca- 
pacity, such as mobile devices. In CPSb, the battery, the actuators and the 
sensors can be viewed as physical components, while the embedded computers 
can be viewed as cyber components. The cyber and the physical components
interact with each other so that no complete understanding can be gained by
studying any component alone. The total discharge currents from the battery 
include currents drawn from all cyber and physical components as results of 
the interactions between these components. In order to estimate the remaining 
capacity of the battery or predict the remaining battery life, knowledge of the
interactions among all cyber-physical components is necessary.

CPSb can be tested and verified using computer simulation tools that sim- 
ulate all its components. Intensive simulations at the design phase usually 
achieve tolerance of perturbations that can be predicted. Prototypes of CPSb 
can then be verified using experiments. Exhaustive simulations and experiments 
are usually labor intensive and costly. Simpler yet less expensive approaches are 
desirable. 

We propose an analytical approach to study CPSb. The analytical approach 
combines simplified mathematical models that capture the characteristic be- 
haviors of each component of a CPSb. This approach is approximate in its 
nature. But since all CPSb components are modeled uniformly with math- 
ematical equations, interactions between the CPSb components are naturally 
described as coupling terms between the mathematical models. Hence the ana- 
lytical approach is well suited for gaining insight into the interactions among the 
CPSb components. Furthermore, mathematical insights into CPSb are greatly 
appreciated when perturbations unpredictable at the design phase may force 
the systems to work in conditions that are near or beyond the design envelopes 
where reliability becomes less guaranteed. 

In this paper, we follow an analytical approach to develop mathematical tools 
to measure robustness of real-time scheduling algorithms and battery manage- 
ment algorithms for CPSb during runtime. The mathematical tools produce 
exact solutions in terms of mathematical formulas to describe the interactions 
between embedded computers and batteries, which are complementary to results 
obtained using simulation or experimental methods. In the rest of the intro- 
duction, we briefly review some background knowledge from literature that is 
closely related to our work, followed by the research problems addressed and 
the contributions made by this paper. 

1.1 Literature Review 

An important branch of real-time systems research is the study of
schedulability. It tries to ascertain whether a set of real-time tasks can be
computed by a processor under proper scheduling. The study of utilization based
schedulability tests can be traced back to the rate monotonic scheduling (RMS)
and earliest deadline first scheduling (EDF) [22]. It has been shown that if a
set of real-time tasks fall below a utilization bound, then they will be
schedulable. Since then, extensive research has been conducted on periodic
tasks to improve the utilization bounds [551 HH IH] or to relax assumptions
[231 IS] that are used to derive these bounds. Some important utilization
bounds for non-periodic systems are also derived in [T]. Schedulability tests
based on utilization bounds are easy to compute. Therefore, they are often used
during runtime (online), but are constrained by limited computational power.
Schedulability tests based on utilization bounds are typically conservative
because they can fail on schedulable task sets. This drawback leads to exact
schedulability tests [H[151[T7]. Some recent advancements have been reported on
exact schedulability tests [3] |3S] with improved computational efficiency.

Robustness is well studied for feedback control systems and has seen
successful applications \iO^. For real-time scheduling, robustness is
introduced as a measure of the tolerance of a scheduling algorithm to
variations in computing time, e.g. perturbations [33l |32j [7]. These works
measure robustness by using a scaling factor (greater than one) for computing
times that are long enough to cause a loss of schedulability. The robustness
measure is computed using the binary search method, which limits it to
non-periodic tasks. Based on this notion of robustness, the method of elastic
scheduling [TOl [12] adjusts the periods of tasks to accommodate runtime
perturbations.

Prediction of the state of charge (SoC, or the remaining battery capacity) is a
basic function for all battery management algorithms |31). A dynamic nonlinear
battery model [2] and a particle filter will be used to predict the SoC in this
paper. Different scheduling and control methods result in different "load
profiles" that affect the operational life of a battery, hence various battery
management algorithms are proposed [29l[T9] to adjust the scheduling and
control to prolong battery life. These previous results usually rely on
optimization methods.

1.2 Research Problems and Contributions 

We provide robustness analysis for CPSb by measuring robustness of both real- 
time scheduling and battery management algorithms. Two types of pertur- 
bations are studied in this paper: perturbations to the computing times of 
real-time tasks, and perturbations to the SoC and parameters of batteries. The 
perturbations to the computing times may extend or shorten the time spent to 
compute real-time tasks. The perturbations to the SoC may increase or decrease 
the SoC. We assume that these perturbations have not been accounted for at 
the design stage, but have to be tolerated at runtime. 

• How is robustness measured? Robustness of a real-time scheduling 
algorithm is measured as the maximum strength of perturbations on the 
computing times of scheduled tasks that will not cause loss of schedula- 
bility. Robustness of a battery management algorithm is measured by its 
ability to trigger the switching of a used battery out of the system before 
the SoC of the battery drops below a threshold that indicates instability, 
even under perturbations to the SoC and battery parameters. 

• What methods are developed to study robustness of real-time 
scheduling algorithms? We first developed a new mathematical model 
for the scheduled behaviors of real-time tasks. We then study schedu- 
lability of these tasks within a receding finite time window, and devise 
a dynamic schedulability test to give sufficient and necessary conditions 
for schedulability of acyclic task sets (e.g. tasks that are not necessarily 
periodic) under any priority based scheduling algorithm. The maximum 
strength of the perturbations that will not break schedulability can then 
be determined analytically. This tolerable strength of the perturbations 
provides a measure for robustness of the scheduling algorithm employed. 

• What methods are developed to study robustness of battery
management algorithms? The mathematical models of real-time scheduling
are combined with the controllers developed in our previous work ^32]
to generate predictions for the total battery discharge current. This
prediction is then used to predict the SoC of batteries analytically at
runtime. Due to nonlinearities inherent in battery behaviors, we introduce a
measure for the robustness of battery management algorithms based on
Lyapunov stability criteria |18|. We then introduce an adaptive battery
switching algorithm based on the Lyapunov stability test to determine
when a used battery should be replaced.

• What are the contributions for CPS? We have developed unified
mathematical models for real-time scheduling in embedded computers that
form the cyber components of CPSb, and for the discharging of batteries
that form the physical components of CPSb. These mathematical models
are also integrated with the feedback controller developed in our previous
work |39j. By combining these mathematical models, we are able to study
the interactions between the cyber and physical components analytically,
which is well aligned with the main theme of CPS research. Several benefits
have been generated by this analytical approach:

— Our robustness analysis incorporates both real-time scheduling and 
battery management algorithms. These results have not been re- 
ported in literature. The robustness measures are able to account for 
situations at runtime that are unexpected at the design stage. 

— The dynamic schedulability test is an exact schedulability test for 
non-periodic task sets. We have also generalized the notion of ro- 
bustness from periodic task sets to non-periodic task sets. These 
results are novel and complementary in comparison to the literature 
reviewed. 

— Compared to existing battery management algorithms that use fixed 
thresholding for output voltage or for SoC [ISl [THl HBj to determine 
when to replace a used battery, our adaptive battery switching algo- 
rithm effectively reduces the false alarm rate. 

The paper is organized as follows. Section 2 discusses robustness of real-time
scheduling algorithms. Section 3 studies robustness for battery management
algorithms. Section 4 demonstrates the applications of the mathematical tools
developed in this paper to a typical CPSb. Section 5 provides summary and
conclusions.

2 Robustness of Real-time Scheduling Algorithms 

A real-time scheduling algorithm assigns priorities to a set of real-time tasks so 
that all tasks can be computed on time on a processor. At the design phase of 
a real-time system, the parameters of tasks, such as computing times and dead- 
lines, are usually determined based on desired performance and experimental 
data. We call these parameters the nominal characteristics. During runtime, 
the actual computing times and deadlines may deviate from the nominal val- 
ues due to variations in the software, hardware, and the environment. These 
deviations are usually considered as online perturbations. For perturbations 
that can be predicted at the design phase, such as changes in task modes, the
"design-of-experiments" method may be applied to verify whether a scheduling
algorithm can tolerate such perturbations [71 [TB]. Usually there exist online
perturbations that may be difficult to predict at the design stage, such as the 
transient overload of certain tasks and the arriving of unexpected tasks. In this 
section, we introduce mathematical tools to measure tolerance of a real-time 
scheduling algorithm to online perturbations. 

Perturbations occurring online can change the timing of the real-time tasks
and can cause a set of schedulable tasks to become unschedulable. Thus it is
necessary to introduce a way to evaluate schedulability during runtime, as
follows:

Definition 2.1 A dynamic schedulability test over a time interval $[t_a, t_b]$
checks if all task instances are able to meet their deadlines within
$[t_a, t_b]$.

As the starting time $t_a$ increases, the time interval $[t_a, t_b]$ will slide
forward. The length of the interval $(t_b - t_a)$ depends on how confident we
are to predict the actual characteristics of the real-time tasks to perform the
schedulability test. All mathematical tools developed in this section are
centered around the dynamic schedulability test within the time interval
$[t_a, t_b]$.

2.1 A Task Model 

For theoretical rigor, let us define the task set that will be scheduled, which
will include both periodic and aperiodic (non periodic) tasks. We consider a
task set $\Gamma$ of independent hard real-time tasks
$\Gamma = \{\tau_1, \tau_2, \dots, \tau_N\}$ running on a single processor. Let
$\tau_n$ be any task in $\Gamma$. Each task in $\Gamma$ consists of an infinite
sequence of instances. We use the notation $\tau_n^k$ to represent the $k$-th
instance of task $\tau_n$. The instance $\tau_n^k$ is characterized by its time
of arrival $a_n^k$, its computing time $C_n^k$ and its relative deadline
$T_n^k$ measured from its time of arrival. The absolute deadline of $\tau_n^k$
is then defined as $a_n^k + T_n^k$.

For theoretical rigor, we make all tasks in the task set $\Gamma$ acyclic (|Tj)
as defined below:

Definition 2.2 A task $\tau_n$ is acyclic if and only if $\tau_n$ satisfies the
following properties:

1. different instances of $\tau_n$ are allowed to have different computing times
and different relative deadlines, as long as Q < C^' < and > for all k;

2. the time of arrival of a new task instance coincides with the absolute
deadline of the previous task instance of the same task, i.e.
$a_n^{k+1} = a_n^k + T_n^k$ for all $k$.

Figure [1] demonstrates an acyclic task. The horizontal line represents the 
progression of time. The upward arrows represent the times of arrival of new 
task instances, and the rectangles represent the computation of task instances. 
The computing times and the relative deadlines are also marked. These plotting 
conventions will be followed by other figures in Section 2.

We use the acyclic task model because it is universal: (1) any periodic task
can be represented by an equivalent acyclic task. For example, a periodic task
with computing time 2 and period 5 can be represented by an acyclic task with
$C_n^k = 2$ and $T_n^k = 5$ for all $k$; (2) any set of non periodic tasks, i.e.
tasks with irregular arriving instances, can be represented by an equivalent
set of acyclic tasks pj.

Figure 1: Illustration of one acyclic task scheduled on a processor. Three task
instances indexed by $k-1$, $k$, and $k+1$ are plotted.

We want to model the scheduled behaviors of the real-time tasks at any 
time t. Some new notations that are only slightly different from the classical 
notations for acyclic tasks are necessary. 

Definition 2.3 At any time $t$, an instance of $\tau_n$ is effective if and only
if it has arrived before time $t$ but has not expired, i.e., $\tau_n^k$ is
effective at time $t$ if and only if

$$a_n^k < t < a_n^k + T_n^k \tag{1}$$

Definition 2.4 At any time $t$, $C_n(t)$ is defined as the computing time of the
effective instance of $\tau_n$ and $T_n(t)$ is defined as the relative deadline
of the effective instance of $\tau_n$, i.e.

$$C_n(t) = C_n^k \text{ and } T_n(t) = T_n^k \quad \text{if } a_n^k < t < a_n^k + T_n^k \tag{2}$$

2.2 The Dynamic Timing Model

In this section, we derive a mathematical model that describes the scheduled
behaviors of a set of acyclic tasks within $[t_a, t_b]$ under any scheduling
algorithm. We rely on the following assumption:

Assumption 2.5 At the starting time $t_a$ we assume that the values of
$\{C_n(t)\}_{n=1}^N$ and $\{T_n(t)\}_{n=1}^N$ for $t \in [t_a, t_b]$ are
predictable.

Several key concepts will be defined including the state variables, the fixed 
priority window, and the dynamic timing model. 

2.2.1 State Variables 

State variables are usually used to derive differential or difference
equations that describe the behaviors of dynamic systems [9 . To describe the
dynamic behaviors of scheduled tasks, we define two state variables and one
auxiliary variable as follows.

Definition 2.6 The dynamic deadline $Q(t)$ is defined as a vector
$Q(t) = [q_1(t), \dots, q_N(t)]$. Each $q_n(t)$, for $n = 1, 2, \dots, N$, is
the length of the time interval starting at the time instant $t$ and ending at
the absolute deadline for the effective instance of $\tau_n$.

In other words, suppose $\tau_n^k$ is an effective task instance, then
$q_n(t) = a_n^k + T_n^k - t$.

Figure 2: Three acyclic tasks scheduled on one processor. Panel (b): Fixed
Priority Window.



Definition 2.7 The spare $S(t)$ is defined as a vector
$S(t) = [s_1(t), \dots, s_N(t)]$, where $s_n(t)$, for $n = 1, 2, \dots, N$,
denotes the amount of CPU time that is available to compute the effective
instance of $\tau_n$ from its time of arrival to time instant $t$.

Definition 2.8 The residue $R(t)$ is an auxiliary variable that is defined as a
vector $R(t) = [r_1(t), \dots, r_N(t)]$, where $r_n(t)$, for
$n = 1, 2, \dots, N$, denotes the remaining computing time required after time
$t$ to finish computing the effective instance of $\tau_n$.

We use the following example to further explain the meaning of $Q$, $R$ and
$S$. For ease of demonstration, we consider three periodic tasks.

Example 1 Consider tasks $\{\tau_1, \tau_2, \tau_3\}$ with
$[C_1(t), C_2(t), C_3(t)] = [0.5, 1, 2]$ and
$[T_1(t), T_2(t), T_3(t)] = [3, 4, 6]$ for $t \in [0, +\infty)$. The three
periodic tasks are scheduled under a fixed priority preemptive scheduling
algorithm such that the priority of $\tau_1$ is higher than $\tau_2$, and the
priority of $\tau_2$ is higher than $\tau_3$.



Figure 2(a) demonstrates the computation of $\{\tau_1, \tau_2, \tau_3\}$ on one
processor. We use the same plotting conventions as in Figure 1, where the
upward arrows indicate the times of arrival of the task instances. It can be
observed that the computation of lower priority tasks is interrupted by the
computation of higher priority tasks. When $t = 4.5$, $\tau_1^2$, $\tau_2^2$ and
$\tau_3^1$ are the effective instances of the three tasks with time of arrival
3, 4 and 0 respectively.

We can observe that at $t = 4.5$, $\tau_1^2$, $\tau_2^2$ and $\tau_3^1$ will
expire at 6, 8 and 6 respectively. Thus, according to Definition 2.6, the
dynamic deadlines are

$$[q_1(4.5), q_2(4.5), q_3(4.5)] = [6 - 4.5,\ 8 - 4.5,\ 6 - 4.5] = [1.5, 3.5, 1.5]. \tag{3}$$

After $t = 4.5$ only $\tau_2^2$ has not finished computing. Therefore, the
remaining computing times after $t = 4.5$ are 0, 0.5 and 0. By Definition 2.8 we
have

$$[r_1(4.5), r_2(4.5), r_3(4.5)] = [0, 0.5, 0]. \tag{4}$$

For $\tau_1^2$ with time of arrival at 3, since no higher priority task is
computed within [3, 4.5], all the CPU time within [3, 4.5] is available for
$\tau_1^2$. For $\tau_2^2$ with time of arrival at 4, since no higher priority
task is computed within [4, 4.5], all the CPU time within [4, 4.5] is available
for $\tau_2^2$. For $\tau_3^1$ with time of arrival 0, since the CPU time within
[0, 1.5], [3, 3.5] and [4, 4.5] is allocated to the higher priority tasks, only
the CPU time within [1.5, 3] and [3.5, 4] is available for $\tau_3^1$. Thus,
according to Definition 2.7, we have that

$$[s_1(4.5), s_2(4.5), s_3(4.5)] = [1.5, 0.5, 2]. \tag{5}$$

Similarly, at $t = 9.25$, we can find

$$Q(9.25) = [2.75, 2.75, 2.75], \quad R(9.25) = [0.25, 0, 0.5], \quad S(9.25) = [0.25, 1, 1.5]. \tag{6}$$

It is worth mentioning that $s_n(t)$ is the amount of CPU time available to
compute the effective instance of task $\tau_n$, but not necessarily the amount
of CPU time actually taken by that instance. If $s_n(t) < C_n(t)$, then the
amount of CPU time spent to compute the effective instance of task $\tau_n$
will be $s_n(t)$, which makes $r_n(t) = C_n(t) - s_n(t)$. On the other hand, if
$s_n(t) > C_n(t)$, then the amount of CPU time spent to compute the effective
instance of $\tau_n$ will only be $C_n(t)$, and the extra CPU time will be given
to tasks with lower priority than $\tau_n$. In this case $r_n(t)$ will be zero
since no more computing time is needed. Therefore,

$$r_n(t) = \max\{0,\ C_n(t) - s_n(t)\}. \tag{7}$$

This equation shows that $R(t)$ solely depends on $S(t)$, and explains why
$R(t)$ is not a state variable. However, $R(t)$ is more convenient to use for
developing the dynamic timing model and the scheduled behavior in Section 2.2.4
and Section 2.2.5.

2.2.2 Scheduling Algorithms 

We will now rigorously define a scheduling algorithm, which will be used by
our mathematical models for the scheduled tasks later. Let
$\mathcal{S} = \{1, 2, \dots, N\}$ be the set of indices of tasks and let the
function $\mathrm{Card}(\cdot)$ measure the number of elements in a set. Let
$hp(n, t)$ denote the set of tasks with priorities higher than $\tau_n$ at time
$t$. One way to formally define a scheduling algorithm is as follows.

Definition 2.9 A scheduling algorithm is a set-valued map between
$\mathcal{S} \times \mathbb{R}^+$ and the collection of all subsets of
$\mathcal{S}$. It is parametrized as $hp(n, t)$ where $n \in \mathcal{S}$ and
$t \in \mathbb{R}^+$ so that $hp(n, t) \subset hp(m, t)$ if
$\mathrm{Card}(hp(n, t)) < \mathrm{Card}(hp(m, t))$.

For example, assume all tasks are periodic and the RMS algorithm f57j is
used to assign fixed priorities. Suppose that tasks are labeled according to the
length of their periods, i.e. tasks with longer periods have larger indices.
Then we have:

$$hp(n, t) = \{1, 2, \dots, n-1\}. \tag{8}$$

Consider another example where a dynamic priority scheduling algorithm
such as the EDF algorithm is used. Then, the values of $hp(n, t)$ depend on
$Q(t)$. At any time $t$, the EDF assigns higher priorities to the tasks whose
effective instances have closer absolute deadlines. According to the definition
of $Q(t)$, tasks whose effective instances have closer absolute deadlines also
have smaller dynamic deadlines. Thus, for the EDF, the tasks with smaller values
of $q_n(t)$ are assigned higher priorities. When two tasks have the same dynamic
deadlines, we assume that a higher priority is assigned to the task with a
smaller index. Hence, the set $hp(n, t)$ can be expressed as

$$hp(n, t) = \{\, i \mid \text{either } q_i(t) < q_n(t), \text{ or } q_i(t) = q_n(t) \text{ and } i < n \,\}. \tag{9}$$

2.2.3 Fixed priority window

Let us consider the time interval $[t_a, t_b]$ over which the schedulability of
the tasks is of concern. We further divide $[t_a, t_b]$ into consecutive
sub-intervals $[t_f(w), t_f(w+1))$, where $t_f(1) = t_a$ and
$w = 1, 2, \dots$. We require each sub-interval to be a fixed priority window
as defined below:

Definition 2.10 A time interval $[t_f(w), t_f(w+1))$ is a fixed priority window
if no instance of any task arrives within $(t_f(w), t_f(w+1))$.

In other words, a task instance can only arrive at either $t_f(w)$ or
$t_f(w+1)$ but not in between.

To better understand this definition, we consider Figure 2(b) as an example:
$[0, 3)$ is a fixed priority window because no new instance of any task arrives
within $(0, 3)$; and $[0, 4)$ is not a fixed priority window because the task
instance $\tau_1^2$ arrives at time $3 \in (0, 4)$.

The advantage of dividing $[t_a, t_b]$ into consecutive fixed priority windows
is that real-time tasks within each fixed priority window
$[t_f(w), t_f(w+1))$ are relatively easier to model. These models can then be
concatenated to derive more complex models for the scheduled behaviors on
$[t_a, t_b]$.

Next, we study how to divide $[t_a, t_b]$ into consecutive fixed priority
windows. We denote the length of each window by $L_f(w)$, i.e.

$$L_f(w) = t_f(w+1) - t_f(w), \tag{10}$$

then each window $[t_f(w), t_f(w+1))$ can be rewritten as
$[t_f(w), t_f(w) + L_f(w))$. Hence, the partition of $[t_a, t_b]$ into fixed
priority windows is determined by the window length $L_f(w)$ for
$w = 1, 2, \dots$. To determine the value of each $L_f(w)$, we have the
following claim.

Claim 2.11 For a set of acyclic tasks, at the beginning of any sub-interval,
i.e. $t_f(w)$, if we choose
$L_f(w) \le \min\{q_1(t_f(w)), \dots, q_N(t_f(w))\}$, then
$[t_f(w), t_f(w) + L_f(w))$ is a fixed priority window; otherwise,
$[t_f(w), t_f(w) + L_f(w))$ is not a fixed priority window.

Proof At the beginning of any sub-interval, i.e. $t_f(w)$, consider the dynamic
deadlines $Q(t_f(w)) = [q_1(t_f(w)), \dots, q_N(t_f(w))]$, as defined in
Definition 2.6. According to the definition of $Q(t_f(w))$, we know that the
next task instance after $t_f(w)$ arrives at
$t_f(w) + \min\{q_1(t_f(w)), \dots, q_N(t_f(w))\}$.

If we choose $L_f(w) \le \min\{q_1(t_f(w)), \dots, q_N(t_f(w))\}$, then no new
instance of any task arrives in between $(t_f(w), t_f(w) + L_f(w))$. Therefore,
$[t_f(w), t_f(w) + L_f(w))$ is a fixed priority window.

On the other hand, if we choose
$L_f(w) > \min\{q_1(t_f(w)), \dots, q_N(t_f(w))\}$, the next task instance after
$t_f(w)$ will arrive in between $(t_f(w), t_f(w) + L_f(w))$. Therefore,
$[t_f(w), t_f(w) + L_f(w))$ is not a fixed priority window. ■

The division of $[t_a, t_b]$ into consecutive fixed priority windows is carried
out using the following procedure. At the beginning of the first sub-interval,
let $t_f(1) = t_a$; we choose the first window length $L_f(1)$ to make the
sub-interval $[t_f(1), t_f(1) + L_f(1))$ a fixed priority window. Then by
letting $t_f(2) = t_f(1) + L_f(1)$ and choosing a window length $L_f(2)$, the
second sub-interval $[t_f(2), t_f(2) + L_f(2))$ can be made a fixed priority
window. The process is repeated until one sub-interval reaches the ending time
$t_b$. According to Claim 2.11 we know that the largest possible window length
$L_f(w)$ can be expressed as

$$L_f(w) = \min\{q_1(t_f(w)), \dots, q_N(t_f(w)),\ t_b - t_f(w)\} \tag{11}$$

where the extra term $t_b - t_f(w)$ guarantees that the division procedure stops
at time $t_b$. A larger window length is preferred since it reduces the
complexity in modeling the behaviors of tasks. Figure 2(b) shows an example of
dividing the time interval $[0, 12]$ into a series of consecutive fixed priority
windows for Example 1 discussed previously.



2.2.4 Evolution of the state variables 

With the state variables well defined in Section 2.2.1, we are now ready to
define the dynamic timing model as follows:

Definition 2.12 The dynamic timing model is a set of equations that describes
the evolution of the state variables over time $t$.

For simplicity, we focus here on the evolution of the state variables within one
fixed priority window $[t_f(w), t_f(w) + L_f(w))$. Later, the evolution of the
state variables within any time interval $[t_a, t_b]$ can be obtained by
concatenating the models within each fixed priority window that belongs to
$[t_a, t_b]$. For notational simplicity, we will drop the index $w$. Moreover,
we will use $t^-$ to denote the time point that is less than $t$ but is
arbitrarily close to $t$. Thus, the fixed priority window
$[t_f(w), t_f(w) + L_f(w))$ can now be equivalently written as
$[t_f, \{t_f + L_f\}^-]$.

In the dynamic timing model, the evolution of the state variables $Q(t)$ and
$S(t)$, from the end of the last fixed priority window $t_f^-$ to any time
within the current fixed priority window $t \in [t_f, \{t_f + L_f\}^-]$, can be
derived in two steps: from $t_f^-$ to $t_f$, and from $t_f$ to $t$.

From $t_f^-$ to $t_f$: First, we discuss the evolution for the state variables
from $t_f^-$ to $t_f$. For task $\tau_n$, the values of the state variables at
time $t_f$, denoted by $q_n(t_f)$ and $s_n(t_f)$, depend on whether an instance
of $\tau_n$ arrives at $t_f$.

(1) If no instance of $\tau_n$ arrives at $t_f$, then the dynamic deadline for
$\tau_n$ is unchanged and must be positive, i.e. $q_n(t_f^-) > 0$, and all state
variables hold their values from $t_f^-$ to $t_f$, i.e.,

$$\text{when } q_n(t_f^-) > 0: \quad q_n(t_f) = q_n(t_f^-) \text{ and } s_n(t_f) = s_n(t_f^-). \tag{12}$$

(2) If an instance of $\tau_n$ arrives at $t_f$, then the dynamic deadline for
$\tau_n$ will be reset to 0 at $t_f^-$, i.e. $q_n(t_f^-) = 0$. The dynamic
deadline at $t_f$ will be the relative deadline for the new task instance, i.e.
$q_n(t_f) = T_n(t_f)$. The state spare $s_n(t_f)$ is reset to zero since no time
is available between $t_f^-$ and $t_f$. Therefore, we have

$$\text{when } q_n(t_f^-) = 0: \quad q_n(t_f) = T_n(t_f) \text{ and } s_n(t_f) = 0. \tag{13}$$

In summary, according to (12) and (13), the evolution for the state variables
from $t_f^-$ to $t_f$ can be written in a compact form as follows

$$\begin{aligned}
q_n(t_f) &= q_n(t_f^-) + T_n(t_f)\,\bigl(1 - \mathrm{sgn}(q_n(t_f^-))\bigr) \\
s_n(t_f) &= s_n(t_f^-)\,\mathrm{sgn}(q_n(t_f^-))
\end{aligned} \tag{14}$$

where sgn denotes the signum function, i.e. $\mathrm{sgn}(x) = 1$ when $x > 0$,
$\mathrm{sgn}(x) = 0$ when $x = 0$, and $\mathrm{sgn}(x) = -1$ when $x < 0$.

From $t_f$ to $t$: Next, we discuss the evolution for the state variables from
$t_f$ to $t \in [t_f, \{t_f + L_f\}^-]$.

(1) For the dynamic deadline $q_n(t)$, we know that the absolute deadline for
the effective instance of $\tau_n$ is at $t + q_n(t)$. Since this absolute
deadline is also at $t_f + q_n(t_f)$, we must have
$q_n(t) + t = q_n(t_f) + t_f$. Therefore, the equation for $q_n(t)$ can be
written as

$$q_n(t) = t_f + q_n(t_f) - t. \tag{15}$$

(2) For the spare $s_n(t)$, we know that the computation of $\tau_n$ is
preempted until the computation of all higher priority tasks is completed.
Then, the amount of time within $[t_f, t]$ that is available to compute
$\tau_n$ is

$$\max\Bigl\{0,\ t - t_f - \sum_{i \in hp(n, t_f)} r_i(t_f)\Bigr\}, \tag{16}$$

where $\sum_{i \in hp(n, t_f)} r_i(t_f)$ denotes the time allocated to compute
tasks with higher priorities than $\tau_n$. The function max guarantees that it
will not give a negative result. Therefore, the amount of time that is
available to compute the effective instance of $\tau_n$ from its time of
arrival to $t$ is

$$s_n(t) = s_n(t_f) + \max\Bigl\{0,\ t - t_f - \sum_{i \in hp(n, t_f)} r_i(t_f)\Bigr\}. \tag{17}$$

In summary, according to (15) and (17), the evolution for the state variables
from $t_f$ to $t \in [t_f, \{t_f + L_f\}^-]$ can be expressed as

$$\begin{aligned}
q_n(t) &= t_f + q_n(t_f) - t \\
s_n(t) &= s_n(t_f) + \max\Bigl\{0,\ t - t_f - \sum_{i \in hp(n, t_f)} r_i(t_f)\Bigr\}
\end{aligned} \tag{18}$$

where $r_i(t_f) = \max\{0,\ C_i(t_f) - s_i(t_f)\}$ according to equation (7).

The mathematical equations discussed in (14) and (18) constitute the dynamic
timing model within one fixed priority window $[t_f, \{t_f + L_f\}^-]$, which
can be implemented using Algorithm 1. Given the initial values of the state
variables at $t_f^-$, i.e. $Q(t_f^-)$ and $S(t_f^-)$, and the task
characteristics within the fixed priority window, i.e., $\{C_n(t)\}_{n=1}^N$
and $\{T_n(t)\}_{n=1}^N$ for $t \in [t_f, \{t_f + L_f\}^-]$, we can use
Algorithm 1 to obtain the evolution of the state variables from $t_f^-$ to any
time $t \in [t_f, \{t_f + L_f\}^-]$. The dynamic timing model within any time
interval $[t_a, t_b]$ can be achieved by iteratively applying Algorithm 1 to all
the fixed priority windows.

Algorithm 1: Model

    /* when $t \in [t_f, \{t_f + L_f\}^-]$ */
    Data: $t_f$, $t$, $Q(t_f^-)$, $S(t_f^-)$, $\{C_n(t)\}_{n=1}^N$, $\{T_n(t)\}_{n=1}^N$
    Result: $Q(t)$, $S(t)$

    for each task $\tau_n \in \Gamma$ do
        /* the value of Q, S at $t_f$ */
        $q_n(t_f) = q_n(t_f^-) + T_n(t_f)(1 - \mathrm{sgn}(q_n(t_f^-)))$;
        $s_n(t_f) = s_n(t_f^-)\,\mathrm{sgn}(q_n(t_f^-))$;
        $r_n(t_f) = \max\{0, C_n(t_f) - s_n(t_f)\}$;
        /* the value of Q, S at $t \in [t_f, \{t_f + L_f\}^-]$ */
        $q_n(t) = t_f + q_n(t_f) - t$;
        $s_n(t) = s_n(t_f) + \max\{0, t - t_f - \sum_{i \in hp(n, t_f)} r_i(t_f)\}$;
    return $Q(t)$, $S(t)$;
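
The following Python sketch is an added example, not code from the paper: it chains equations (14), (7), (11) and (18) over consecutive fixed priority windows and reproduces the values of Example 1. The function names are hypothetical, tasks are restricted to constant $C_n$ and $T_n$ with every task releasing at $t_a = 0$, and the deadline-miss check (an instance that expires with nonzero residue) is this example's reading of Definition 2.1.

```python
from fractions import Fraction as F  # exact arithmetic so q_n == 0 is detected reliably

def sgn(x):
    return (x > 0) - (x < 0)

def fixed_hp(n, q):
    """Eq. (8): tasks indexed by priority, hp(n) = {1, ..., n-1} (0-based here)."""
    return list(range(n))

def edf_hp(n, q):
    """Eq. (9): smaller dynamic deadline wins, ties go to the smaller index."""
    return [i for i in range(len(q)) if q[i] < q[n] or (q[i] == q[n] and i < n)]

def run_model(C, T, t_b, hp=fixed_hp, probes=()):
    """Evolve Q and S over [0, t_b].

    Returns ({t: (Q, R, S)} for each probe time, [(task, deadline), ...] misses).
    Assumption of this example: constant C_n, T_n and all tasks release at 0.
    """
    C, T, t_b = [F(c) for c in C], [F(x) for x in T], F(t_b)
    N = len(C)
    q, s = [F(0)] * N, [F(0)] * N      # q_n(t_a^-) = 0: an instance arrives at t_a
    t_f, states, misses = F(0), {}, []
    while t_f < t_b:
        # An instance whose dynamic deadline reached zero with residue left missed it.
        if t_f > 0:
            misses += [(n + 1, t_f) for n in range(N) if q[n] == 0 and C[n] > s[n]]
        # Eq. (14): step from t_f^- to t_f, resetting tasks that release an instance.
        s = [s[n] * sgn(q[n]) for n in range(N)]
        q = [q[n] + T[n] * (1 - sgn(q[n])) for n in range(N)]
        r = [max(F(0), C[n] - s[n]) for n in range(N)]           # eq. (7)
        L = min(min(q), t_b - t_f)                                # eq. (11)
        busy = [sum((r[i] for i in hp(n, q)), F(0)) for n in range(N)]

        def at(t):                                                # eq. (18)
            return ([t_f + q[n] - t for n in range(N)],
                    [s[n] + max(F(0), t - t_f - busy[n]) for n in range(N)])

        for p in probes:
            if t_f <= F(p) < t_f + L:
                Q, S = at(F(p))
                states[F(p)] = (Q, [max(F(0), C[n] - S[n]) for n in range(N)], S)
        q, s = at(t_f + L)             # state at {t_f + L_f}^-
        t_f += L
    misses += [(n + 1, t_f) for n in range(N) if q[n] == 0 and C[n] > s[n]]
    return states, misses

if __name__ == "__main__":
    # Example 1 from the text: C = [0.5, 1, 2], T = [3, 4, 6], fixed priorities.
    states, misses = run_model([0.5, 1, 2], [3, 4, 6], 12, probes=[4.5, 9.25])
    for t, (Q, R, S) in states.items():
        print(float(t), [float(x) for x in Q], [float(x) for x in R], [float(x) for x in S])
    print("deadline misses:", misses)
```

Passing `hp=edf_hp` switches the priority map to equation (9); a constructed task set with $C = [1, 1.5]$ and $T = [2, 3]$ misses a deadline under the fixed priority map but not under EDF.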

2.2.5 Scheduled Behaviors of Tasks 

We demonstrate how to use the dynamic timing model to describe the scheduled
behaviors of the real-time tasks. Consider
$\Gamma = \{\tau_1, \tau_2, \dots, \tau_N\}$; we first describe the scheduled
behavior of task $\tau_n$ from $\Gamma$. Within each fixed priority window
$[t_f, \{t_f + L_f\}^-]$, the scheduled behavior of task $\tau_n$ may go through
three modes that will be indicated by a function $\Phi_n(t)$.

The preempted mode: the computation of the effective instance of $\tau_n$ is
blocked by tasks with higher priorities. This behavior is indicated by letting
$\Phi_n(t) = 0.5$. It starts from the beginning of the fixed priority window
$t_f$ and lasts for the amount of time
$\min\{\sum_{i \in hp(n, t_f)} r_i(t_f),\ L_f\}$, which is the sum of the
remaining computing time of all higher priority tasks;

The execution mode: the effective instance of $\tau_n$ is being computed by
the CPU. The scheduled behavior is indicated by letting $\Phi_n(t) = 1$. It
starts right after the preempted mode and lasts until the computation of the
effective instance of $\tau_n$ completes, which equals
$t_f + \min\{\sum_{i \in hp(n, t_f) + \{n\}} r_i(t_f),\ L_f\}$;

The free mode: the computation of the effective instance of $\tau_n$ has
completed and a new instance has not arrived. The scheduled behavior is
indicated by letting $\Phi_n(t) = 0$. It starts right after the execution mode
and lasts till the end of the fixed priority window.

In summary, the scheduled behavior of $\tau_n$ within one fixed priority window $[t_f, \{t_f + L_f\}^-]$ can be expressed as

$$\Phi_n(t) = \begin{cases} 0.5, & t \in \left[\, t_f,\ t_f + \min\{\sum_{i \in hp(n, t_f)} r_i(t_f),\ L_f\} \,\right] \\ 1, & t \in \left(\, t_f + \min\{\sum_{i \in hp(n, t_f)} r_i(t_f),\ L_f\},\ t_f + \min\{\sum_{i \in hp(n, t_f) + \{n\}} r_i(t_f),\ L_f\} \,\right] \\ 0, & t \in \left(\, t_f + \min\{\sum_{i \in hp(n, t_f) + \{n\}} r_i(t_f),\ L_f\},\ \{t_f + L_f\}^- \,\right] \end{cases}$$ (19)

where $r_i(t_f) = \max\{0,\ C_i(t_f) - s_i(t_f)\}$.

Figure 3: The scheduled behaviors of $\Gamma$ within [9.29, 9.63] seconds. The upper figure is produced by TrueTime, the lower figure is produced by the dynamic timing model. Jitters are marked by arrows.

As it shows, the scheduled behavior of $\tau_n$ within one fixed priority window $[t_f, \{t_f + L_f\}^-]$ can be described by the state variables within $[t_f, \{t_f + L_f\}^-]$. Applying the same methodology for all tasks in $\Gamma$, we can derive the scheduled behavior of the real-time system within $[t_f, \{t_f + L_f\}^-]$. As the fixed priority window propagates forward, the state variables will evolve according to the dynamic timing model in Algorithm 1. With the state variables evolving from $t_a$ to $t_b$, we obtain the scheduled behavior of the real-time system over the time interval $[t_a, t_b]$.



2.2.6 Verification of the Dynamic Timing Model 

To verify the dynamic timing model, we compare the scheduled behavior of the real-time system derived from the dynamic timing model with the scheduled behavior of the same real-time system simulated using TrueTime [11]. TrueTime is one of the most commonly used software tools that facilitates research on real-time systems. TrueTime and the dynamic timing model work in different ways. TrueTime simulates a computer with a real-time kernel and maintains data structures that are commonly found in the real-time kernel, such as ready queues, time queues, records for tasks, interrupt handlers, monitors, timers and so on. The dynamic timing model uses mathematical equations to analytically model the scheduling behavior, as shown in Algorithm 1 and (19). For the same real-time system, ideally TrueTime and the dynamic timing model should provide the same result. However, we find incorrect jitters in the behavior generated by TrueTime 1.5 implemented in MATLAB. These jitters do not exist in the behavior generated by the dynamic timing model.

Suppose at time 0, the state variables $Q(0^-) = R(0^-) = 0$. Consider a real-time system with three acyclic tasks running on it. The three acyclic tasks have the characteristics $[C_1(t), C_2(t), C_3(t)] = [4, 4, 4]$ ms and $[T_1(t), T_2(t), T_3(t)] = [15.4, 20.8, 30.3]$ ms for $t \in [0, 10]$ s. We are interested in the scheduled behavior of the real-time system within [0, 10]. We run the simulation from 0 to 10 s using TrueTime 1.5 implemented in MATLAB. Side by side, we evaluate the dynamic timing model and (19) using MATLAB from 0 to 10 s. Figure 3 shows the comparative results of the scheduled behavior of the real-time tasks between the two different methods within [9.29, 9.63].

By comparison, we see that the scheduled behaviors generated by TrueTime 1.5 and the dynamic timing model are identical for most of the time. The identical part indicates that the dynamic timing model can be used to describe the scheduled behavior of the real-time system as precisely as TrueTime. However, the scheduled behaviors generated by TrueTime 1.5 and the dynamic timing model are not identical for $\Phi_2(t)$ when $t \in [9.3016, 9.3056]$ s and for $\Phi_3(t)$ when $t \in [9.5788, 9.5828]$ s. Further exploration shows that the differences are due to jitters caused by the numerical inaccuracy in TrueTime 1.5 implemented in MATLAB, as illustrated in the upper half of Fig. 3. As a simulation tool, TrueTime 1.5 inevitably has truncation errors that accumulate with numerical integration. Since the dynamic timing model presented in this paper is based on mathematical equations, the system behavior at time $t$ can be determined by evaluating functions without using numerical integration. Hence the chances for jitters are significantly reduced. No jitters are observed from the lower half of Fig. 3. This indicates that the dynamic timing model may be used side by side with TrueTime to resolve jitters.

2.3 Dynamic Schedulability Test 

In Section 2.2 we have established a dynamic timing model that can analytically describe the evolution of the state variables from $t_a$ to $t_b$. In this section, we study how to utilize the dynamic timing model to perform the dynamic schedulability test over $[t_a, t_b]$. The success of this test requires the knowledge of the task sets within $[t_a, t_b]$, as stated in Assumption 2.5.

For the set of real-time tasks $\Gamma = \{\tau_1, \tau_2, \cdots, \tau_N\}$, the dynamic schedulability test over $[t_a, t_b]$ can be decomposed to check whether each task $\tau_n$ of $\Gamma$ is able to meet its deadlines within each fixed priority window that belongs to $[t_a, t_b]$. This is due to the following facts: (1) $\Gamma$ is schedulable within $[t_a, t_b]$ if and only if $\Gamma$ is schedulable within each fixed priority window $[t_f(w), \{t_f(w) + L_f(w)\}^-]$, for $w = 1, 2, \cdots$; (2) $\Gamma$ is schedulable within any fixed priority window $[t_f(w), \{t_f(w) + L_f(w)\}^-]$ if and only if each individual task $\tau_n \in \Gamma$ is schedulable within $[t_f(w), \{t_f(w) + L_f(w)\}^-]$. The following theorem states the necessary and sufficient conditions for the schedulability of $\tau_n$ within any fixed priority window $[t_f(w), \{t_f(w) + L_f(w)\}^-]$.

Theorem 2.13 A task $\tau_n$ is schedulable within $[t_f(w), \{t_f(w) + L_f(w)\}^-]$ if and only if it satisfies ONE of the following two conditions:

1. $q_n(\{t_f(w) + L_f(w)\}^-) = 0$ and $C_n(\{t_f(w) + L_f(w)\}^-) \le s_n(\{t_f(w) + L_f(w)\}^-)$;

2. $q_n(\{t_f(w) + L_f(w)\}^-) > 0$.

Proof If an instance of $\tau_n$ expires at $t_f(w) + L_f(w)$, i.e. $q_n(\{t_f(w) + L_f(w)\}^-) = 0$, then the schedulability of $\tau_n$ within $[t_f(w), \{t_f(w) + L_f(w)\}^-]$ is satisfied if and only if the computation of this instance has completed, i.e.

$r_n(\{t_f(w) + L_f(w)\}^-) = 0.$

According to (7), the above equation can be rewritten as

$\max\{0,\ C_n(\{t_f(w) + L_f(w)\}^-) - s_n(\{t_f(w) + L_f(w)\}^-)\} = 0,$

which implies that

$C_n(\{t_f(w) + L_f(w)\}^-) \le s_n(\{t_f(w) + L_f(w)\}^-).$ (20)

If no instance of $\tau_n$ expires at $t_f(w) + L_f(w)$, i.e. $q_n(\{t_f(w) + L_f(w)\}^-) > 0$, then the schedulability of $\tau_n$ within $[t_f(w), \{t_f(w) + L_f(w)\}^-]$ is automatically guaranteed. ■

According to Assumption 2.5 we can predict the actual task characteristics $\{C_n(t)\}_{n=1}^N$ and $\{T_n(t)\}_{n=1}^N$ within $[t_a, t_b]$. Given the actual task characteristics $\{C_n(t)\}_{n=1}^N$ and $\{T_n(t)\}_{n=1}^N$ for $t \in [t_a, t_b]$, we can perform the dynamic schedulability test over the time interval $[t_a, t_b]$ using Algorithm 2. Algorithm 2 iteratively checks the schedulability of $\Gamma$ within each fixed priority window in the following ways: (1) first, at the beginning of any sub-interval, it calculates the length of the current fixed priority window $L_f$ according to equation (11), as shown in Line 10 of Algorithm 2; (2) then, it utilizes the dynamic timing model in Algorithm 1 to obtain the values of the state variables at the end of the current fixed priority window, as indicated by Line 11; (3) finally, it evaluates the schedulability of $\tau_n$, where $n = 1, \cdots, N$, within $[t_f, \{t_f + L_f\}^-]$ according to Theorem 2.13, as shown in Lines 12 - 20 of Algorithm 2. To make the fixed priority window propagate seamlessly within $[t_a, t_b]$, it assigns the starting time of the next fixed priority window to be the ending time of the current fixed priority window, as indicated by Line 20.

The variable $ds_n(w)$ indicates the dynamic schedulability test result of $\tau_n$ within $[t_f(w), \{t_f(w) + L_f(w)\}^-]$: when $\tau_n$ is schedulable within $[t_f(w), \{t_f(w) + L_f(w)\}^-]$, $ds_n(w) = 1$; otherwise, $ds_n(w) = 0$. The set $DS_n = [ds_n(1), ds_n(2), \cdots]$ contains the dynamic schedulability test results of $\tau_n$ within all fixed priority windows that belong to $[t_a, t_b]$. The task $\tau_n$ is schedulable within $[t_a, t_b]$ if and only if $\min\{DS_n\} = 1$. The task set $\Gamma$ is schedulable within $[t_a, t_b]$ if and only if all individual tasks are dynamically schedulable within $[t_a, t_b]$, i.e. $\min_{1 \le n \le N}\{\min\{DS_n\}\} = 1$.
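The dynamic timing model and the dynamic schedulability test can be exercised on the three-task set of Section 2.2.6. The Python sketch below is an added example, not the paper's MATLAB code; all function names are hypothetical. It assumes RMS priorities (shorter $T_n$ means higher priority), a computing time that is constant within each fixed priority window, $Q(t_a^-) = S(t_a^-) = 0$, and integer time ticks of 0.1 ms so that the test $q_n = 0$ is exact.

```python
# Added illustration of Algorithms 1 and 2 (not the authors' implementation).
# Time is counted in integer ticks of 0.1 ms, so "q_n == 0" needs no tolerance.

T_NOM = [154, 208, 303]   # relative deadlines / periods: 15.4, 20.8, 30.3 ms
C_NOM = [40, 40, 40]      # nominal computing times: 4 ms each


def sgn(x):
    return (x > 0) - (x < 0)


def window_start(q_prev, s_prev, T):
    """Algorithm 1, state at t_f from the state at t_f^-.

    A task whose dynamic deadline reached 0 gets a new instance:
    its deadline is reloaded with T_n and its spare is reset to 0.
    """
    q = [qp + Tn * (1 - sgn(qp)) for qp, Tn in zip(q_prev, T)]
    s = [sp * sgn(qp) for sp, qp in zip(s_prev, q_prev)]
    return q, s


def model(q, s, C, hp, dt):
    """Algorithm 1, state dt ticks after t_f (0 <= dt <= L_f)."""
    r = [max(0, Cn - sn) for Cn, sn in zip(C, s)]          # remaining work
    q_t = [qn - dt for qn in q]
    s_t = [sn + max(0, dt - sum(r[i] for i in hp[n]))      # CPU time left over
           for n, sn in enumerate(s)]                      # by higher priorities
    return q_t, s_t


def dynamic_schedulability_test(T, comp_time, t_a, t_b):
    """Algorithm 2. comp_time(n, t) is C_n(t) in ticks (assumed constant
    within a window). Returns (DS, margins): DS[n] holds ds_n(w) for every
    window w, margins[n] holds s_n - C_n at each expiring deadline of task n."""
    n_tasks = len(T)
    # Assumption: RMS, ties broken by task index.
    hp = [[i for i in range(n_tasks) if (T[i], i) < (T[n], n)]
          for n in range(n_tasks)]
    q_prev, s_prev = [0] * n_tasks, [0] * n_tasks          # Q(t_a^-), S(t_a^-)
    DS = [[] for _ in range(n_tasks)]
    margins = [[] for _ in range(n_tasks)]
    t_f = t_a
    while t_f < t_b:
        q, s = window_start(q_prev, s_prev, T)
        L_f = min(min(q), t_b - t_f)                       # window length
        C = [comp_time(n, t_f) for n in range(n_tasks)]
        q_end, s_end = model(q, s, C, hp, L_f)
        for n in range(n_tasks):
            if q_end[n] == 0:                              # an instance expires
                DS[n].append(1 if C[n] <= s_end[n] else 0)
                margins[n].append(s_end[n] - C[n])
            else:                                          # nothing expires
                DS[n].append(1)
        q_prev, s_prev = q_end, s_end
        t_f += L_f                                         # next window
    return DS, margins


def schedulable(DS):
    """Task set is schedulable iff min over n of min{DS_n} equals 1."""
    return min(min(ds_n) for ds_n in DS) == 1


def nominal(n, t):
    return C_NOM[n]


def perturbed(n, t):
    # Constructed perturbation: +10.4 ms on the lowest-priority task only.
    return C_NOM[n] + (104 if n == 2 else 0)


if __name__ == "__main__":
    DS, margins = dynamic_schedulability_test(T_NOM, nominal, 0, 100000)
    print("nominal schedulable over 10 s:", schedulable(DS))
    print("first margins (ticks):", [m[0] for m in margins])
    DS_p, _ = dynamic_schedulability_test(T_NOM, perturbed, 0, 400)
    print("perturbed DS_3 over the first 40 ms:", DS_p[2])
```

The `margins` lists show how close each expiring instance comes to violating condition 1 of Theorem 2.13; a margin of 0 is still schedulable, a negative margin is a missed deadline.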

Algorithm 2: Dynamic Schedulability Test

    /* Schedulability of $\Gamma$ within $[t_a, t_b]$ */
    Data: $Q(t_a^-)$, $S(t_a^-)$, $\{C_n(t)\}_{n=1}^N$, $\{T_n(t)\}_{n=1}^N$
    Result: $\{DS_n\}_{n=1}^N$
     1  $t_f = t_a$;
     2  for each $\tau_n \in \Gamma$ do
     3      $DS_n = [\,]$;
        /* check each fixed priority window */
     4  while $t_f < t_b$ do
            /* The length of the current fixed priority window $L_f$ */
     5      for each $\tau_n \in \Gamma$ do
     6          if $q_n(t_f^-) == 0$ then
     7              $q_n(t_f) = T_n(t_f)$;
     8          else
     9              $q_n(t_f) = q_n(t_f^-)$;
    10      $L_f = \min\{q_1(t_f), \ldots, q_N(t_f),\ t_b - t_f\}$;
            /* State variables at the end of the current fixed priority window */
    11      $[Q(\{t_f + L_f\}^-), S(\{t_f + L_f\}^-)] = \mathrm{Model}(t_f, \{t_f + L_f\}^-, Q(t_f^-), S(t_f^-), \{C_n(t)\}_{n=1}^N, \{T_n(t)\}_{n=1}^N)$;
            /* Schedulability within the current fixed priority window */
    12      for each $\tau_n \in \Gamma$ do
    13          if $q_n(\{t_f + L_f\}^-) == 0$ then
    14              if $C_n(\{t_f + L_f\}^-) \le s_n(\{t_f + L_f\}^-)$ then
    15                  $ds_n = 1$;
    16              else
    17                  $ds_n = 0$;
    18          else
    19              $ds_n = 1$;
    20          $DS_n = [DS_n, ds_n]$;
    21      $t_f = t_f + L_f$;
    22  return $\{DS_n\}_{n=1}^N$;

2.4 A Measure of Robustness

We let $\{C_n^{nom}(t)\}_{n=1}^N$ and $\{T_n^{nom}(t)\}_{n=1}^N$ denote the nominal task characteristics known at the design phase, and let $\{C_n(t)\}_{n=1}^N$ and $\{T_n(t)\}_{n=1}^N$ denote the actual task characteristics under online perturbations. We assume that there is no perturbation on the relative deadlines, i.e. $T_n(t) = T_n^{nom}(t)$ for $n = 1, 2, \ldots, N$. This assumption is reasonable in control and robotics applications, where $T_n(t)$ represent sampling times that are often fixed. At time $t$, we define the (instantaneous) perturbations on computing times as follows:

Definition 2.14 The perturbations on computing times are defined as a vector $\mathcal{E}(t) = [\epsilon_1(t), \ldots, \epsilon_N(t)]$, where $\epsilon_n(t) = C_n(t) - C_n^{nom}(t)$ for $n = 1, 2, \ldots, N$.

The value of $\epsilon_n(t)$ can be either positive or negative. If $C_n(t) > C_n^{nom}(t)$, then $\epsilon_n(t)$ is positive. Note that in future works, $T_n(t)$ may be viewed as a control variable that can be adjusted to tolerate the perturbations in similar ways as the general elastic scheduling algorithms [TUJ [T^] .

Next, we consider the accumulated effect caused by the perturbations $\mathcal{E}(t)$ over time. These effects will be captured by defining perturbations on the state variables. We let $\{Q_n^{nom}(t)\}_{n=1}^N$ and $\{S_n^{nom}(t)\}_{n=1}^N$ denote the state variables in the nominal case, and let $\{Q_n(t)\}_{n=1}^N$ and $\{S_n(t)\}_{n=1}^N$ denote the state variables under accumulated perturbations. Since $T_n(t) = T_n^{nom}(t)$ for $n = 1, 2, \ldots, N$, we know that the absolute deadline and the time of arrival of each task instance in the nominal case are the same as those in the actual case. Thus, according to Definition 2.6 we know that the dynamic deadline of each task instance in the nominal case is the same as that in the actual case, i.e.

$q_n(t) = q_n^{nom}(t)$ (21)

which, together with (11), implies that

$t_f(w) = t_f^{nom}(w), \quad L_f(w) = L_f^{nom}(w).$ (22)

On the other hand, since $C_n(t) \neq C_n^{nom}(t)$, we know that the spare of each task instance in the nominal case is different from that in the actual case, i.e.

$s_n(t) \neq s_n^{nom}(t).$ (23)

Equations (21) and (23) indicate that there are perturbations on the state variable $S$, but not on the state variable $Q$. We define the perturbations on the state variable $S$ as follows:

Definition 2.15 The perturbations on the state variable spare are defined as a vector $H(t) = [\eta_1(t), \ldots, \eta_N(t)]$, where $\eta_n(t)$ denotes the strength of the perturbation on $s_n(t)$, i.e.

$\eta_n(t) = -(s_n(t) - s_n^{nom}(t))$ (24)

where we use a negative sign because a positive perturbation imposed on the computing time of a task instance will reduce the value of the spare.

According to the above analysis, we know that at any time $t$, the total perturbations imposed on the real-time tasks consist of two portions: $\mathcal{E}(t)$, the perturbations on the computing time, and $H(t)$, the perturbations on the state variable spare, which reflects the accumulated effect of $\mathcal{E}(t)$ before time $t$. The total perturbations imposed on the real-time system at time $t$ are the summation $\mathcal{E}(t) + H(t)$.

In particular, the total perturbations imposed on one task at time $t$ can be expressed as $\epsilon_n(t) + \eta_n(t)$. We are interested in finding the maximum total perturbations $\epsilon_n(t) + \eta_n(t)$ that can be tolerated by a single task $\tau_n$ without sacrificing the schedulability of $\tau_n$. According to (pij) , (22) and Theorem 2.13 we can easily prove the following claims.

Claim 2.16 $\tau_n$ is schedulable within $[t_f(w), \{t_f(w) + L_f(w)\}^-]$ under perturbations $\epsilon_n(t) + \eta_n(t)$ if and only if ONE of the following two conditions is satisfied:

1. $q_n(\{t_f(w) + L_f(w)\}^-) = 0$ and $\epsilon_n(\{t_f(w) + L_f(w)\}^-) + \eta_n(\{t_f(w) + L_f(w)\}^-) \le s_n^{nom}(\{t_f^{nom}(w) + L_f^{nom}(w)\}^-) - C_n^{nom}(\{t_f^{nom}(w) + L_f^{nom}(w)\}^-)$;

2. $q_n(\{t_f(w) + L_f(w)\}^-) > 0$.



We introduce a measure of robustness $B_R$ that quantifies the tolerance of a real-time scheduling algorithm to uncertain perturbations to the computing times of tasks within $[t_a, t_b]$. A real-time scheduling algorithm with a larger value for $B_R$ is more robust than a real-time scheduling algorithm with smaller values for $B_R$.

Definition 2.17 We define a measure of robustness $B_R(w)$ over the fixed priority window $[t_f(w), \{t_f(w) + L_f(w)\}^-]$ where $w = 1, 2, \ldots$ as the least upper bound on the tolerable perturbations for all task instances expiring at $t_f(w) + L_f(w)$, i.e.

(25)

We define the measure of robustness $B_R$ over time interval $[t_a, t_b]$ as the minimum value of $B_R(w)$, i.e.

$B_R = \min_{w} B_R(w).$ (26)

Claim 2.18 Within $[t_a, t_b]$, the nominal design of an acyclic task set under a real-time scheduling algorithm is schedulable under any perturbation of a strength less than $B_R$.

Proof Suppose an arbitrary task $\tau_n$ suffers the perturbation $\epsilon_n(\{t_f(w) + L_f(w)\}^-) + \eta_n(\{t_f(w) + L_f(w)\}^-)$ at the end of a fixed priority window $[t_f(w), \{t_f(w) + L_f(w)\}^-]$. If $q_n(\{t_f(w) + L_f(w)\}^-) > 0$, the second condition in Claim 2.16 is satisfied and $\tau_n$ is schedulable under the perturbation; if $q_n(\{t_f(w) + L_f(w)\}^-) = 0$, we have that $\epsilon_n(\{t_f(w) + L_f(w)\}^-) + \eta_n(\{t_f(w) + L_f(w)\}^-) < B_R \le B_R(w) \le s_n^{nom}(\{t_f^{nom}(w) + L_f^{nom}(w)\}^-) - C_n^{nom}(\{t_f^{nom}(w) + L_f^{nom}(w)\}^-)$. Thus, the first condition in Claim 2.16 is satisfied and $\tau_n$ is schedulable under the perturbation. Since the above proof holds for any task within any fixed priority window that belongs to $[t_a, t_b]$, the nominal design is schedulable under any perturbation of a strength less than $B_R$. ■

At any time $t_a$, if we input the nominal task characteristics $\{T_n^{nom}(t)\}_{n=1}^N$ and $\{C_n^{nom}(t)\}_{n=1}^N$ to Algorithm 1, we can obtain the evolution of the nominal state variables $\{Q_n^{nom}(t)\}_{n=1}^N$ and $\{S_n^{nom}(t)\}_{n=1}^N$ from $t_a$ to $t_b$ by iteratively applying the dynamic timing model in Algorithm 1. Moreover, the right hand side of (25) is computed at $t_a$ by using the nominal state variables. Therefore, the measure of robustness of the real-time system $B_R$ can be predicted at $t_a$ without relying on Assumption 2.5.

Figure 4: Chen and Mora's battery model



3 Robustness in Battery Management 

Robustness of a battery management algorithm can be measured by its tolerance 
to potentially harmful discharges and variations in battery parameters. The 
tolerance decreases when the SoC decreases as the battery is being drained. 
Battery management algorithms can be developed to manage multiple batteries 
at the same time, so that a battery near the point of depletion can be replaced 
by a freshly charged battery. We will show that the SoC of a battery can be 
estimated at any point of time during system operation using the combination 
of a dynamic battery model and the dynamic timing model developed in the 
previous section. We further present an algorithm to predict whether the battery 
is capable of maintaining a steady output voltage when it is supporting a time- 
varying load. The methodology used to detect impending battery failure can 
be used in any battery management system to increase robustness. 

3.1 Background 

3.1.1 Dynamic Battery Model 

Battery modeling is a challenging task due to complex electro-chemical processes 
occurring within a battery |3 11130] . Battery models can be represented in various 
forms. Chen and Mora [13] provide models that are verified by experimental 
data and are more suitable to be combined with our dynamic timing model. 

Chen and Mora's model as shown in Figure 4 is an equivalent circuit representation of a Lithium-ion (Li-ion) battery. The model has two coupled circuits. The circuit on the left models the SoC $x_1$ and the circuit on the right models the variation of the battery output voltage $y$ as a function of the charge/discharge current $i(t)$. It must be noted that all the circuit components $C_{ts}, C_{tl}, R_s, R_{ts}, R_{tl}, E_0, C_c$ are nonlinear functions of $x_1$ as follows:

(27) 
(28) 
(29) 
(30) 
(31) 

■19X1 (32) 

- fc20Xi^ + k2lXi^ 

$C_c = 3600\, C f_1 f_2.$ (33)

where $k_i > 0$ for $i = 1, 2, \ldots, 21$. In eqn. (33), $f_1, f_2 \in [0, 1]$ are factors taking into account the effects of temperature and charge-discharge cycles respectively. By default, $f_1 = f_2 = 1$, but their values will decrease after each charge-discharge cycle. The various resistances, capacitances, and constants ($k_1, \cdots, k_{21}$) shown here are independent of $i(t)$. Hence it enables one to experimentally determine these parameters at different stages during the life of a battery [TH [3J [351 HI]. The experimental data justifies that the model can be applied to applications with acceptable accuracy.

Knauff et al. [20] provide a state space realization for the above battery model. We have introduced minor modifications to aid our analysis.

$\dot{x}_1 =$ (34)

$\dot{x}_2 = -\frac{x_2}{R_{ts} C_{ts}} + \frac{i}{C_{ts}}$ (35)

$\dot{x}_3 = -\frac{x_3}{R_{tl} C_{tl}} + \frac{i}{C_{tl}}$ (36)

$y = E_0 - x_2 - x_3 - i R_s,$ (37)

where $y$ represents the voltage output from the battery, $x_2$ represents the voltage drop across $R_{ts} \| C_{ts}$, and $x_3$ represents the voltage drop across $R_{tl} \| C_{tl}$.

3.1.2 Voltage Thresholding and Capacity Thresholding 



Figures 5(a) and 5(b) show typical battery characteristics. One important prob- 
lem is how to detect battery failure based on these characteristic curves. The 
horizontal and vertical dashed lines represent static thresholds on the termi- 
nal voltage and the SoC respectively. The Voltage Thresholding (VT) method 
detects battery failure when the output voltage of the battery drops below a 
threshold represented by the horizontal line. The Capacity Thresholding (CT) 
method detects battery failure when the SoC of the battery drops below a 
threshold represented by the vertical line. 



Each curve in Fig. 5(a) shows the relation between the SoC and terminal voltage for a specific constant value of the discharge current. For a load current of 0.5A or 1A the voltage threshold of 3.7V (shown by the horizontal dashed line) detects battery failure when the battery voltage starts declining rapidly. However, for a load current of 2A, VT detects failure with SoC still at 50%. Assuming that the voltage has not fallen below the operational requirements of the system, this would result in switching a battery out of service unnecessarily.

Figure 5: The characteristics of battery voltage variations. (a) V versus $x_1$: the changes in battery voltage as a function of SoC for different constant current loads. (b) V versus $t$: the variation of battery voltage with respect to time $t$ for different values of $f_2$ at the same constant current load.



The vertical dashed line in Fig. 5(a) shows an SoC threshold of 0.1. For loads of 1A and 2A, CT detects failure correctly. But for a lighter load of 0.5A, CT detects failure even though the terminal voltage is higher than the previously set threshold. Thus the battery is switched out earlier than necessary in this case.



Figure 5(b) shows the variation of battery voltage with respect to time $t$ for different values of $f_2$ at the same constant current load. The horizontal dashed line represents a voltage threshold of 3.5V. When $f_2 = 0.1$, VT based on this threshold detects failure right before the terminal voltage starts declining rapidly. However if $f_2 = 0.5$ or 1, VT switches out the battery early since the figure shows that the terminal voltage does not start dropping rapidly for a long time after failure is detected.

VT and CT are generally used to detect battery failure [HI [55] . From Figures 5(a) and 5(b) it is obvious that changes in the load current $i$ and $f_2$ can cause static thresholds to be overly conservative. This can cause batteries to be switched out of the system when there may be a significant amount of usable capacity available. We call this phenomenon the false alarm. False alarms will reduce the operational life of battery supported systems and increase maintenance cost.

We will design a new algorithm, called the Adaptive Thresholding (AT), 
which is able to determine an adaptive threshold that adjusts automatically to 
the changes in the battery parameters. This further leads us to the notion of 
robustness of battery switching algorithms. 

3.2 Battery Stability 

We observe that the battery system represented by eqns. (34) - (37) loses stability (in the sense of control theory) when the battery terminal voltage drops suddenly. Consider the state $x_1$ as a parameter. Temporarily disregarding the input $i$, the system in eqns. (34) - (37) can be rewritten using standard state space notation 13 as the following non-autonomous system,

where $A(x_1) = \begin{bmatrix} \dfrac{-1}{C_{ts} R_{ts}} & 0 \\ 0 & \dfrac{-1}{C_{tl} R_{tl}} \end{bmatrix}.$ (38)



The above representation simplifies the nonlinear model of a battery to a linear time-varying model.

Consider $C_{ts}$ and $C_{tl}$ for our battery model where $k_1, \cdots, k_6$ satisfy the condition $0 < k_1 < k_2 < k_3 < k_4 < k_5 < k_6$. Regarding eqn. (38), our first stability result is based on the following candidate Lyapunov function and its time derivative:

$V_1 = \frac{1}{2}(x_2^2 + x_3^2)$ (39)

$\dot{V}_1 = -\left(\frac{x_2^2}{R_{ts} C_{ts}} + \frac{x_3^2}{R_{tl} C_{tl}}\right)$ (40)



Lemma 3.1 Consider $C_{ts}, C_{tl}, R_{ts}, R_{tl}, V_1$, and $\dot{V}_1$ in equations (27) - (31), (39), and (40) respectively. Assuming that ■^ln(^) > -^Indl), for the SoC $x_1 \in [0, 1]$ and discharge current $i(t) > 0$, there exist small positive numbers $\{(\delta_1, \delta_2) \mid 0 < \delta_1 < \delta_2\}$ such that $\dot{V}_1 > 0$ for $x_1 \in (0, \delta_1)$ and $\dot{V}_1 < 0$ for $x_1 \in (\delta_2, 1]$.

Proof We observe that $V_1 > 0$, for all $x_2, x_3 \neq 0$. Since $R_{ts}, R_{tl}$ have the form $a e^{-b x_1} + c$ where $a, b, c > 0$, then $R_{ts}, R_{tl} > 0$ for all $x_1$. Consider the case when $C_{ts} < 0$. Solving eqn. (27) for $x_1$ gives, xi < — -^In ^ff^ • Similarly, considering $C_{tl} < 0$ and solving eqn. (28) for $x_1$ gives

'"(£)■

Let us define $\delta_1$ and $\delta_2$ as follows.

Since < and k^ < k^, we have $\delta_1, \delta_2 > 0$. Based on our assumptions we further have, $0 < \delta_1 < \delta_2$. Therefore, if $x_1 < \delta_1$ then $C_{ts}, C_{tl} < 0$, which makes $\dot{V}_1$ positive. Similarly if $x_1 > \delta_2$ then $C_{ts}, C_{tl} > 0$ and $\dot{V}_1$ is negative. We have proved the existence of $\delta_1$ and $\delta_2$. ■

From the above proof, it is observed that the battery is unstable (in the Lyapunov sense [H]) when $x_1 \in (0, \delta_1)$. When $x_1 \in (\delta_2, 1]$ the battery is stable. $\delta_1$ thus provides the worst case limit for the SoC of a battery. If the SoC falls below $\delta_1$, one must switch a battery out of service, otherwise the output voltage will soon drop below any specified bound. Note that the representation in eqn. (38) simply aids in establishing the stability limits and is not used to explicitly replicate the dynamics. Hence it does not introduce any error. These limits are applicable even to the system in eqns. (34) - (37).

The following claim can be made based on the previous lemma.

Claim 3.2 If $x_1 < \delta_2$, where $\delta_2$ is obtained from Lemma 3.1, then the Li-ion battery system represented by equation (38) is not asymptotically stable.

Proof From eqns. (38) - (P5)) it is obvious that if $x_1 < \delta_2$, the two eigenvalues of $A(x_1)$ do not have negative real parts. Hence the system is not asymptotically stable. ■

This claim indicates that switching out a battery when $x_1 < \delta_2$ is safer than switching out the battery later when $x_1 < \delta_1$. Therefore, $\delta_2$ can now be viewed as a threshold for the SoC of a battery to indicate when a battery needs to be switched out. Note that $\delta_2$ does not depend on the discharge current $i(t)$.

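Next, we develop an adaptive threshold that depends on $i(t)$. We consider the nonlinear battery model represented by eqns. (34) - (36) with the input current $i(t)$. Let us consider the following candidate Lyapunov function and its time derivative.

$V_2 = \frac{1}{2}(x_1^2 + x_2^2 + x_3^2)$ (44)

$\dot{V}_2 = \left(\frac{x_2}{C_{ts}} + \frac{x_3}{C_{tl}} - \frac{x_1}{C_c}\right) i - \left(\frac{x_2^2}{R_{ts} C_{ts}} + \frac{x_3^2}{R_{tl} C_{tl}}\right)$ (45)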

Lemma 3.3 Consider $C_{ts}, C_{tl}, R_{ts}, R_{tl}, V_2$, and $\dot{V}_2$ defined in eqns. (27) - (31), (44), and (45). Consider $\delta_2$ obtained from Lemma 3.1. For the SoC $x_1 \in [0, 1]$ and $R_{ts}, R_{tl}, C_{ts}, C_{tl}, x_2, x_3 > 0$, there exist a small positive lower bound $\epsilon(x_2, x_3)$ for the discharge current $i(t)$ and a threshold $\beta(x_2, x_3, i)$ for $x_1$ such that $\delta_2 < \beta < 1$ and the following two statements hold: (1) $\dot{V}_2 > 0$ if $x_1 < \beta$ and $i > \epsilon$; (2) $\dot{V}_2 < 0$, if $x_1 > \beta$ and $i > \epsilon$.

Proof Considering $\dot{V}_2 > 0$ we have,

$\left(\frac{x_2}{C_{ts}} + \frac{x_3}{C_{tl}} - \frac{x_1}{C_c}\right) i - \left(\frac{x_2^2}{R_{ts} C_{ts}} + \frac{x_3^2}{R_{tl} C_{tl}}\right) > 0.$ (46)

Solving eqn. (46) for $x_1$ gives,

$x_1 < C_c \left[\frac{x_2}{C_{ts}} + \frac{x_3}{C_{tl}} - \frac{1}{i}\left(\frac{x_2^2}{R_{ts} C_{ts}} + \frac{x_3^2}{R_{tl} C_{tl}}\right)\right].$ (47)

Let us define the quantity on the right-hand side of eqn. (47) as $\beta$,

$\beta = C_c \left[\frac{x_2}{C_{ts}} + \frac{x_3}{C_{tl}} - \frac{1}{i}\left(\frac{x_2^2}{R_{ts} C_{ts}} + \frac{x_3^2}{R_{tl} C_{tl}}\right)\right].$ (48)

From eqns. (47) and (48) we have $\dot{V}_2 > 0$ when $x_1 < \beta$. Similarly, we can see that $\dot{V}_2 < 0$ when $x_1 > \beta$.

From eqn. (48) it is obvious that for very small positive values of the discharge current $i$, the value of $\beta$ will turn out negative. Solving eqn. (48) for the current $i$ when $\beta = 0$ provides the lower bound $\epsilon$ for the discharge current.

$\epsilon = \left(\frac{x_2^2}{R_{ts} C_{ts}} + \frac{x_3^2}{R_{tl} C_{tl}}\right) \Big/ \left(\frac{x_2}{C_{ts}} + \frac{x_3}{C_{tl}}\right)$ (49)

As per Claim 3.2, stability of the battery system requires $x_1 > \delta_2$. Hence we proceed to prove $\beta > \delta_2$ by contradiction. Let us temporarily assume that $\beta < \delta_2$. Hence from eqn. (47) we have $x_1 < \delta_2$. However, from eqns. (HI]) and we have that $C_{tl} < 0$ if $x_1 < \delta_2$. Thus assuming $\beta < \delta_2$ contradicts the condition $C_{tl} > 0$. Hence by contradiction we have $\beta > \delta_2$. Thus proving the existence of $\epsilon(x_2, x_3)$ and $\beta(x_2, x_3, i)$. ■

The above result provides an adaptive threshold $\beta$ for $x_1$. Adaptive control theory [21] serves as an inspiration for this design. The threshold $\beta$ dynamically adjusts itself to account for the number of charge-discharge cycles and varying current. Since $\beta > \delta_2$, $\beta$ provides a more conservative threshold than $\delta_2$ for switching a battery out of service. From eqn. (48) we see that the states $x_2$ and $x_3$ are required to calculate $\beta$, while $\beta$ gives the threshold for $x_1$. Hence all the three states need to be estimated. We discretize the model given by eqns. (34) - (37) and run a particle filter to estimate the battery states. Satisfactory results from the particle filter have been observed, which are not presented in this paper since they are less relevant. Particle filtering is one of many approaches to state estimation. We use particle filtering because of the presence of nonlinearities in the battery system. Although computationally complex, the emerging new generation multi-core embedded systems may offer the required computational capability. Other methods like extended Kalman filtering (EKF) [5] which are computationally simpler can be used, although it may result in early/late switching out of a battery due to errors in the estimates.

3.3 Robust Battery Switching 

Claim 3.2 provides the threshold $\delta_2$ for $x_1$ below which at least one of the eigenvalues of $A(x_1)$ has a positive real part. We have shown that when $x_1 < \delta_2$, the battery will become unstable, indicating that the condition of the battery has degraded. We can use this threshold for measuring robustness of battery switching algorithms. Variations in the battery discharge, the SoC, and the parameters can be viewed as perturbations to battery management algorithms.

Definition 3.4 A battery management algorithm is robust if it guarantees that at the switching time instant when the battery is replaced, the SoC of the battery is above the threshold $\delta_2$, i.e. $x_1 > \delta_2$.

We develop a robust and adaptive switching algorithm, called the Adaptive Thresholding (AT), to switch out batteries close to the end of their lives. In Algorithm 3 we use the following quantities: $h$ is the sampling interval in seconds, $k$ is the time step at which the discharge current $i(t)$ and the battery output voltage $V$ are measured, $T_S$ is the battery switching time instant and $S = 1$ indicates switching is necessary.

Our battery switching algorithm based on Lemma 3.3 provides a threshold $\beta$. This threshold $\beta$ adjusts itself to perturbations in the SoC and the battery parameters so that $\beta < \delta_2$ is always satisfied. Hence our algorithm is robust by Definition 3.4.

Algorithm 3: Determine Battery Switching Time Instant $T_S$

    Data: $y(k)$, $i(k)$, $\epsilon$
    Result: $S = [0, 1]$, $T_S$
    $[x_1, x_2, x_3] = \mathrm{ParticleFilter}(y(k), i(k))$;
    Compute $\beta$ and $\epsilon$ using equations (48) and (49);
    if $i(k) > \epsilon$ then
        if $x_1 < \beta$ then
            $S = 1$, $T_S = hk$;
        else
            $S = 0$, $T_S = -1$;
    return $S$, $T_S$;

4 Application

To demonstrate the relevance of the robustness analysis for CPSb, we study a simplified scenario as shown in Figure 6. Processor 1 issues control commands to the motors on the bases of multiple inverted pendulums. Processor 2 runs the dynamic schedulability test and evaluates the particle filter that estimates the SoC of the battery based on measurements taken for the terminal voltage and the discharge current. We assume that Processor 2 implements the dynamic schedulability test described in Section 2.3 and the battery management algorithm described in Section 3.3. When the SoC of a battery is below a specific threshold, the working battery will be disconnected and the other fully charged battery is switched in. We simulate this scenario since it simplifies real systems where computing of real-time control tasks is typically separated from battery management circuits. Performing the schedulability test on a second processor can reduce the overhead on the first processor, where the real-time tasks are scheduled. The separation can be implemented by a dual processor system with the ability of programming each processor independently.

Figure 6: A two battery-powered bi-processor system controlling multiple pendulums with different physical parameters.

The separation of the control and battery management on different processors does not conflict with the spirit of co-design. In fact, the control and scheduling on Processor 1 determines the battery discharge current that will affect the battery management algorithm on Processor 2. Through simulations based on this system, we demonstrate robustness of the system subject to both timing perturbations and discharge perturbations.

Figure 7: The pendulum system under the RMS algorithm subject to perturbations $\mathcal{E}(t)$. (a) Scheduled Behavior of $\Gamma$. (b) Dynamic Schedulability Test for $\Gamma$.

4.1 Real-time Tasks and Currents 

Suppose three pendulums are controlled by control signals $u_1$, $u_2$ and $u_3$.
These control signals are computed using methods in [39]. The three controllers
implemented on Processor 1 can be viewed as three independent real-time tasks
$\Gamma = \{\tau_1, \tau_2, \tau_3\}$ that need to be scheduled.

At the design phase, we assume that $\{\tau_n\}_{n=1}^{3}$ are periodic tasks with
the nominal computing times
$[C_1^{nom}(t), C_2^{nom}(t), C_3^{nom}(t)] = [4, 4, 4]$ ms and they are
scheduled under the RMS algorithm. By solving a minimization problem as
introduced in [35], we can determine the task periods to be
$[T_1^{nom}(t), T_2^{nom}(t), T_3^{nom}(t)] = [15.4, 20.8, 30.3]$ ms. In this
scenario, the task periods are fixed once chosen, i.e. $T_n(t) = T_n^{nom}(t)$
for $n = 1, 2, 3$. The control signals are kept constant during one task period
and only updated at the end of each period. However, during runtime,
$\{C_n(t)\}_{n=1}^{3}$ may deviate from $\{C_n^{nom}(t)\}_{n=1}^{3}$ due to
online perturbations. Moreover, if a task cannot finish the computation by its
deadline, the control output will not update at the end of this period.

Assume that the online perturbations on the computing time
$\{C_n^{nom}(t)\}_{n=1}^{3}$ are generated from a stochastic process
$\mathcal{E}(t)$ with their value at each point in time being random variables
that are uniformly distributed within $[-1.5, 4]$ ms, $[-1, 4]$ ms and
$[-1, 2]$ ms. Suppose the sample values of $\mathcal{E}(t)$ within $[10, 13]$ s
are known at time $t = 10$ s. Then, we have the actual task characteristics
$[T_1(t), T_2(t), T_3(t)] = [T_1^{nom}(t), T_2^{nom}(t), T_3^{nom}(t)]$ and
$[C_1(t), C_2(t), C_3(t)] = [C_1^{nom}(t) + \epsilon_1(t), C_2^{nom}(t) + \epsilon_2(t), C_3^{nom}(t) + \epsilon_3(t)]$
for $t \in [10, 13]$. To check the schedulability under the perturbations, the
scheduled behavior of the real-time system is shown in Fig 7(a) and the result
of Algorithm 5 is shown in Fig 7(b). In Fig 7(a) we observe that the value of
$\Phi_3(t)$ does not fall back to zero before its deadline at $t = 11.8475$ s,
which implies that the computation of $\tau_3$ fails to finish by its deadline.
As we can see from the result of the dynamic schedulability test,
$DS_3(t) =$ when $t \in [11.817, 11.8475]$ s, which indicates that $\tau_3$ is
not schedulable within $[11.817, 11.8475]$ s.

(a) Current absorbed by the first processor (b) Total current supplied by battery

Figure 8: Current supplied by the battery

We assume that the pendulums are powered by permanent magnet DC shunt
motors. The motors provide torque directly proportional to the current supplied
[51]. The total load current drawn (ideally) from the battery can be written as:
$i_{tot} = P(|u_1| + |u_2| + |u_3|) + i_{p_1} + i_{p_2}$. We explain each term
and how they are determined:



1. $P$ is the constant of proportionality relating the torque to the current
drawn. For simplicity we assume that the constant is the same for the
three motors. We also choose $P = 0.1$ for purposes of simulation. In
reality this constant will change based on motor parameters and needs to
be determined experimentally.

2. We assume that the first processor consumes an average of 400 mA when
it is computing and 200 mA when it is idle. Hence the current absorbed
by the first processor is $i_{p_1} = (300 + 100\Phi_{cpu})$ mA, as shown in
Fig. 8(a). It is easy to verify that the result in Fig. 8(a) is consistent with
the result of Fig. 7(a) in that
$\Phi_{cpu} = \mathrm{sgn}(\Phi_1 + \Phi_2 + \Phi_3)$.

3. We assume that Processor 2 consumes $i_{p_2} = 300$ mA constantly.

Using the dynamic timing model and the controller models, we can predict
the total load current supplied by the battery within $[10, 13]$ s at time 10 s,
as shown in Fig. 8(b). In real life the current waveform may have small transient
effects that are ignored here. We want to emphasize that all our methods
developed in this paper and in [39] are analytical, hence the waveforms can be
obtained analytically.



4.2 Robustness of real-time scheduling 

We demonstrate that the scheduling algorithm with a higher Bfj is more robust 
to the perturbations. Given the task set for the three pendulums with

$$[C_1^{nom}(t), C_2^{nom}(t), C_3^{nom}(t)] = [4, 4, 4]\ \text{ms}, \qquad [T_1^{nom}(t), T_2^{nom}(t), T_3^{nom}(t)] = [15.4, 20.8, 30.3]\ \text{ms}, \tag{50}$$

consider two different scheduling algorithms: the RMS algorithm and the
EDF algorithm. When the tasks are scheduled under the RMS algorithm, we
calculate the value of Bn within [10, 13] s to be 8.8 according to Definition 2.17.
When the tasks are scheduled under the EDF algorithm, we calculate the value
of Bji within [10, 13] s to be 11.4. Since the system using the EDF algorithm
has a higher measure of robustness as compared with the system using the RMS
algorithm, we conclude that the former is more robust to the perturbations
considered. Indeed, under the same perturbation $\mathcal{E}(t)$, our dynamic
schedulability test has confirmed that the real-time task set under the EDF
algorithm is still schedulable, but is not schedulable under the RMS algorithm.
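The RMS versus EDF outcome described above can be reproduced in miniature with a plain tick-based scheduler simulation. This is an added example, not the paper's dynamic timing model or its dynamic schedulability test: it takes the task set in (50), applies a constructed constant perturbation of +2, +3 and +2 ms (inside the stated ranges), and assumes synchronous release at t = 0 and that a job unfinished at its deadline is dropped; `simulate` and `utilization` are hypothetical names.

```python
# Added example: discrete-time preemptive scheduler, 1 tick = 0.1 ms.
PERIODS = [154, 208, 303]   # 15.4, 20.8, 30.3 ms task periods from (50)
NOMINAL = [40, 40, 40]      # 4 ms nominal computing times from (50)
EPS = [20, 30, 20]          # constructed perturbation: +2, +3, +2 ms (assumption)


def simulate(policy, horizon=30000):
    """Return [(task_number, deadline_tick)] for every missed deadline.

    policy is "RMS" (fixed priority, shortest period first) or "EDF".
    Deadlines equal periods. A job unfinished at its deadline is dropped,
    so that period's control output is simply not updated.
    """
    n = len(PERIODS)
    cost = [c + e for c, e in zip(NOMINAL, EPS)]
    remaining = [0] * n     # unfinished work of each task's current job
    deadline = [0] * n      # absolute deadline of each current job
    misses = []
    for t in range(horizon):
        for i in range(n):
            if t % PERIODS[i] == 0:          # release instant = previous deadline
                if remaining[i] > 0:
                    misses.append((i + 1, t))
                remaining[i] = cost[i]
                deadline[i] = t + PERIODS[i]
        ready = [i for i in range(n) if remaining[i] > 0]
        if ready:
            if policy == "RMS":
                run = min(ready, key=lambda i: PERIODS[i])
            else:
                run = min(ready, key=lambda i: deadline[i])
            remaining[run] -= 1              # execute the chosen job for one tick
    return misses


def utilization():
    """Processor utilization of the perturbed task set."""
    return sum((c + e) / p for c, e, p in zip(NOMINAL, EPS, PERIODS))


if __name__ == "__main__":
    print("U = %.3f" % utilization())
    for policy in ("RMS", "EDF"):
        m = simulate(policy)
        print(policy, "misses:", len(m), "first:", m[0] if m else None)
```

With this perturbation the utilization stays below 1, so EDF meets every deadline, while under RMS the lowest-priority task misses its first deadline at 30.3 ms.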

4.3 Robustness of the battery switching strategies 

We compare the results from the three battery switching algorithms: Voltage
Thresholding (VT), Capacity Thresholding (CT), and Adaptive Thresholding
(AT). We perform two tests comparing the behaviors of the three battery
switching algorithms.

Test 1: We assume that the battery supplies the controller and the three
pendulums. Unexpected perturbations in load currents happen due to the loss
of schedulability in the control tasks caused by the unexpected perturbation
$\mathcal{E}(t)$ that makes certain pendulums fail to receive updated control
signals for a short period of time. To regain control a large motor current
needs to be supplied, thus causing a sudden drop in the terminal voltage of the
battery.

Test 2: We assume that the battery supplies different constant loads for 
an entire cycle (charge-discharge) of operation as the SoC of the battery varies. 
Such a test allows us to test the performance of the battery switching algorithms 
when dealing with a battery subjected to smooth loads of varying magnitude. 

For each battery switching algorithm used in a particular test, we simulate
ten charge-discharge cycles on a 275 mAh battery. After each cycle we assume
that a certain amount of capacity loss occurs, i.e. the value of $f_2$ decreases.
We assume $f_2$ takes the values $[1, 0.9, 0.8, \ldots, 0.1]$ over the ten cycles.

For VT we set the following criteria. A successful failure detection occurs
when the terminal voltage $V < 3.5$ volts and the estimated SoC $x_1 < 10\%$. A
false alarm occurs if the voltage $V < 3.5$ volts when $x_1 > 10\%$. The false
alarm happens when the algorithm attempts to switch out the battery on observing
a temporary disturbance in load current even though the value of SoC is still
larger than 10%.

For CT the following criteria are used. A false alarm occurs when $x_1 < 10\%$
and $V > 3.6$ volts. This indicates that the algorithm is switching a battery out
due to a perceived drop in the SoC although the terminal voltage is
approximately 2.8% higher than the voltage threshold used in the previous test.
The algorithm misses a fault if $x_1 < 10\%$ and the battery terminal voltage has
fallen by 33% or more from its initial no load value when $f_2 = 1$ and $x_1 = 1$.

For AT we use criteria similar to CT. A false alarm is recorded if the terminal
voltage of the battery at the instant of switching is higher than 3.6 volts. The
algorithm misses a fault if the battery terminal voltage at the switching time
instant has fallen by 33% or more from its initial no load value when $f_2 = 1$
and $x_1 = 1$.

The test results are shown in the tables of Figure 9. The total number
of simulation runs per test is $T = 10$. Let $H$, $F$ and $M$ be the number of
successfully detected faults, false alarms, and missed detections respectively.
Note that $T = H + F + M$. The fault detection rate (DR), false alarm rate
(FAR) and the missed detection rate (MDR) are defined as $H/T$, $F/T$ and $M/T$
respectively, and DR + FAR + MDR = 1.

Algorithm type || DR   | FAR | MDR || DR   | FAR | MDR
VT             || 40%  | 60% | 0%  || 50%  | 50% | 0%
CT             || 100% | 0%  | 0%  || 70%  | 30% | 0%
AT             || 100% | 0%  | 0%  || 100% | 0%  | 0%

(a) Test 1 - results (left columns) (b) Test 2 - results (right columns)

Figure 9: Battery switching algorithm test results

It appears that none of the algorithms miss a fault, i.e. all of them ultimately
disconnect a dying battery out of service before the terminal voltage falls below
the criteria we set. VT produces false alarms six out of ten times in the presence
of disturbances as shown in Figure 9(a). Even for smooth loads, VT produces
five false alarms in ten trials as a result of changes in $f_2$ as shown in
Figure 9(b). It appears that CT performs well in the presence of disturbances as
it produces no false alarms, however it produces three false alarms in ten trials
when $f_2$ changes. AT produces no false alarms in any case. It out-performs VT
and CT in these tests.

5 Conclusions 

This paper follows an analytical approach to establish notions of robustness 
for real-time task scheduling algorithms and battery management algorithms. 
Combined with existing analytical results for robustness of control systems, our 
results provide a unified theoretical foundation for robustness of CPSb measured 
by the maximum tolerable perturbations in timing and battery capacity. Our 
results allow the entire system to be analyzed using the dynamic schedulability 
test, battery stability test and the stability test for feedback controllers.